Old 04-12-2012, 03:59 PM   #1
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Rep: Reputation: 57
Iptables to allow only ultrasurf+privoxy with ultrasurf as its parent proxy


Privoxy is an HTTP proxy that can be set up to use ultrasurf as a parent proxy, whereby ultrasurf sets up a tunnel to a server provided by Ultrasurf Inc so you access the internet through the tunnel for anonymity while privoxy takes some care of privacy.

This works well. Except ultrasurf also scans certain web servers without telling anyone, which can be blocked with iptables:

iptables -A OUTPUT -p tcp -d 65.49.14.0/24 -j ACCEPT
iptables -A OUTPUT -p tcp -s 65.49.14.0/24 -j ACCEPT
iptables -P OUTPUT DROP

Ultrasurf works happily like this, only able to access its creator's server and nothing else. For example firefox can be set up with ultrasurf as the HTTP proxy, at 127.0.0.1:9666, and it works fine.

However, privoxy does not work with ultrasurf as the parent proxy if the above iptables rules are used. I have only seen it working like this:

iptables -P OUTPUT ACCEPT

But then nothing is blocked and ultrasurf does its naughty scanning of assorted web servers without telling anyone.

What rules should be used to block ultrasurf but allow privoxy to have it as its parent proxy?

Last edited by Ulysses_; 04-12-2012 at 04:15 PM.
 
Old 04-13-2012, 06:24 AM   #2
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
Here's the magical rule that makes it work:

iptables -A OUTPUT -d 127.0.0.1 -s 127.0.0.1 -j ACCEPT

Another useful rule that helped discover the need for the above rule:

iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables OUTPUT chain:" --log-level 7

This generates messages in the log that can be read using:

dmesg | grep "iptables OUTPUT chain:"
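The two posts together give the working ruleset; the following script, an added example that is not from the thread, applies those same rules in an order that does not break the privoxy to ultrasurf hop over loopback, and can be dry-run without root. It assumes the 65.49.14.0/24 server range and the 127.0.0.1:9666 listener stated in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): build the OUTPUT ruleset
# the two posts arrive at, in an order that works on the first try.
# Assumptions: the Ultrasurf server range 65.49.14.0/24 is taken from the
# thread; the local Ultrasurf listener is 127.0.0.1:9666 as stated there.
# Set DRY_RUN=1 to print the commands instead of executing them (no root needed).

ULTRASURF_NET="65.49.14.0/24"

# run: execute the given command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# apply_output_rules: install the OUTPUT chain policy and rules.
# Order matters: the loopback rule must be present before the policy becomes
# DROP, otherwise privoxy -> ultrasurf traffic over 127.0.0.1 is dropped and
# the parent proxy appears broken, which is what the first post observed.
apply_output_rules() {
    # Start from an empty OUTPUT chain with a permissive policy so a
    # half-applied script does not lock the host out of its own proxy chain.
    run iptables -P OUTPUT ACCEPT
    run iptables -F OUTPUT

    # 1. Local inter-process traffic (privoxy -> ultrasurf on 127.0.0.1:9666).
    #    Matching the loopback interface is slightly tighter than -s/-d 127.0.0.1
    #    because it also covers the rest of 127.0.0.0/8.
    run iptables -A OUTPUT -o lo -j ACCEPT

    # 2. Ultrasurf's tunnel to its own server range, the only external destination
    #    the host is allowed to reach.
    run iptables -A OUTPUT -p tcp -d "$ULTRASURF_NET" -j ACCEPT

    # 3. Log whatever falls through (rate limited), then drop by policy.
    run iptables -A OUTPUT -m limit --limit 5/min -j LOG \
        --log-prefix "iptables OUTPUT chain:" --log-level 7
    run iptables -P OUTPUT DROP
}

# verify_output_rules: report whether the loopback rule is in place
# (iptables -C returns 0 when a matching rule exists; needs root).
verify_output_rules() {
    iptables -C OUTPUT -o lo -j ACCEPT
}
```

Run `DRY_RUN=1 sh script.sh` after adding a call to `apply_output_rules` at the end to see the exact rule order before applying it for real; `dmesg | grep "iptables OUTPUT chain:"` then shows anything the DROP policy caught.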